Hacker says security flaw let him access any Facebook profile

The social network recently fixed a bug discovered by a developer who demonstrated how the loophole let him take over other people's accounts.

A security hacker recently found a flaw in a Facebook system that allowed developers to access anyone's Facebook account through app permissions.

Though Facebook has fixed this issue, Nir Goldshlager, a Web application security specialist who looks for these types of flaws professionally, found more app authorization bugs that need fixing, according to his blog. App permissions are what developers use to access the user data needed to run their apps. Users give them access permission when they install the apps.

"I found a couple more OAuth flaws in Facebook, just waiting for a fix to post about it," Goldshlager wrote in his blog, where he detailed his findings.

Facebook wouldn't comment on what other flaws Goldshlager may have found but did say the original bug he detected had not been taken advantage of by actual Facebook developers. The company didn't say when Goldshlager reported the flaw.

"We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild," a Facebook representative wrote in an e-mail to CNET. "Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security."

The bug Goldshlager found allowed him to steal access tokens and gain full access to a profile as a developer. This included messages, page management, ad management, private photos, and videos. It also applied to profiles that hadn't installed any extra apps, because he could go through Facebook's built-in apps, such as Messenger, as well. The tokens for third-party apps didn't expire unless the victim changed his or her password, but the tokens for Facebook's own Messenger app never expired, he wrote.
